Abstract
This paper introduces two new attacks on PKCS#1 v1.5, an RSA-based encryption standard proposed by RSA Laboratories. As opposed to Bleichenbacher's attack, our attacks are chosen-plaintext only, i.e. they do not make use of a decryption oracle. The first attack applies to small public exponents and shows that a plaintext ending with sufficiently many zeroes can be recovered efficiently when two or more ciphertexts corresponding to the same plaintext are available. We believe the technique we employ to be of independent interest, as it extends Coppersmith's low-exponent attack to certain length parameters. Our second attack is applicable to arbitrary public exponents, provided that most message bits are zeroes. It seems to constitute the first chosen-plaintext attack on an RSA-based encryption standard that yields practical results for any public exponent.
References
M. Bellare and P. Rogaway, Optimal Asymmetric Encryption, Advances in Cryptology — Eurocrypt '94, vol. 950 of Lecture Notes in Computer Science, pp. 92–111, Springer-Verlag, 1994.
D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS#1, Advances in Cryptology — Crypto '98, vol. 1462 of Lecture Notes in Computer Science, pp. 1–12, Springer-Verlag, 1998.
D. Boneh, Personal communication.
R. Brent, An improved Monte Carlo factorization algorithm, Nordisk Tidskrift för Informationsbehandling (BIT) vol. 20, pp. 176–184, 1980.
D. Coppersmith, Finding a small root of a univariate modular equation, Advances in Cryptology — Eurocrypt '96, vol. 1070 of Lecture Notes in Computer Science, pp. 155–165, Springer-Verlag, 1996.
D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, Journal of Cryptology, 10(4), pp. 233–260, 1997.
D. Coppersmith, M. Franklin, J. Patarin and M. Reiter, Low exponent RSA with related messages, Advances in Cryptology — Eurocrypt '96, vol. 1070 of Lecture Notes in Computer Science, pp. 1–9, Springer-Verlag, 1996.
Y. Desmedt and A. Odlyzko, A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, Advances in Cryptology — Crypto '85, vol. 218 of Lecture Notes in Computer Science, pp. 516–522, Springer-Verlag, 1986.
K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude, Arkiv för matematik, astronomi och fysik, vol. 22A, no. 10, pp. 1–14, 1930.
G.H. Hardy and E.M. Wright, An Introduction to the Theory of Numbers, fifth edition, Oxford University Press, 1979.
H. Lenstra, Factoring integers with elliptic curves, Annals of Mathematics, vol. 126, 1987.
Multiprecision Integer and Rational Arithmetic C/C++ Library (MIRACL), available at ftp://ftp.compapp.dcu.ie/pub/crypto/miracl.zip.
R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, vol. 21–2, pp. 120–126, 1978.
RSA Data Security, PKCS #1: RSA Encryption Standard, version 1.5, Nov. 1993.
RSA Laboratories, PKCS #1: RSA Cryptography Specifications, version 2.0, Sep. 1998.
Copyright information
© 2000 Springer-Verlag Berlin Heidelberg
Cite this paper
Coron, JS., Joye, M., Naccache, D., Paillier, P. (2000). New Attacks on PKCS#1 v1.5 Encryption. In: Preneel, B. (eds) Advances in Cryptology — EUROCRYPT 2000. EUROCRYPT 2000. Lecture Notes in Computer Science, vol 1807. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45539-6_25
DOI: https://doi.org/10.1007/3-540-45539-6_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-67517-4
Online ISBN: 978-3-540-45539-4